Subscription Resource Stores Access Key Unencrypted in State #78
Labels
enhancement
New feature or request
Comments
|
Yes, this seems like it's a good idea! The implementation is actually relatively straightforward: https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_iam_access_key.go#L88 I'm not sure when we would be able to add this (but of course contributions are also welcomed ;) ). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The subscription resource type requires a parameter
access_secretwhich is stored in the state file in plaintext. While the state file can be encrypted, Terraform's owniam_access_keyresource suggest supplying a PGP key that can be used to additionally encrypt the secret before storing it in state.Terraforms management of secrets in state does seem to cause a fair bit of debate - and it has been proposed that some encrypt / decrypt interpolation functions should be added to Terraform core hashicorp/terraform#15434.
I'm not sure if maybe there is a middle-ground position that we could take in the meantime? Perhaps adding another optional parameters
access_secret_encrypted?The text was updated successfully, but these errors were encountered: